From: Xin Long
To: network dev
Cc: davem@davemloft.net, Jon Maloy, Ying Xue, tipc-discussion@lists.sourceforge.net, syzkaller@googlegroups.com
Subject: [PATCH net 1/3] tipc: check bearer name with right length in tipc_nl_compat_bearer_enable
Date: Sun, 31 Mar 2019 22:50:08 +0800
Message-Id: <19cb47f4096770465dc8a9fb08cfaedc2fb70da4.1554043518.git.lucien.xin@gmail.com>
X-Mailer: git-send-email 2.1.0
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: netdev@vger.kernel.org

Syzbot reported the following crash:

BUG: KMSAN: uninit-value in memchr+0xce/0x110 lib/string.c:961
 memchr+0xce/0x110 lib/string.c:961
 string_is_valid net/tipc/netlink_compat.c:176 [inline]
 tipc_nl_compat_bearer_enable+0x2c4/0x910 net/tipc/netlink_compat.c:401
 __tipc_nl_compat_doit net/tipc/netlink_compat.c:321 [inline]
 tipc_nl_compat_doit+0x3aa/0xaf0 net/tipc/netlink_compat.c:354
 tipc_nl_compat_handle net/tipc/netlink_compat.c:1162 [inline]
 tipc_nl_compat_recv+0x1ae7/0x2750 net/tipc/netlink_compat.c:1265
 genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
 genl_rcv_msg+0x185f/0x1a60 net/netlink/genetlink.c:626
 netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2477
 genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:622 [inline]
 sock_sendmsg net/socket.c:632 [inline]

Uninit was created at:
 __alloc_skb+0x309/0xa20 net/core/skbuff.c:208
 alloc_skb include/linux/skbuff.h:1012 [inline]
 netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
 netlink_sendmsg+0xb82/0x1300 net/netlink/af_netlink.c:1892
 sock_sendmsg_nosec net/socket.c:622 [inline]
 sock_sendmsg net/socket.c:632 [inline]

It was triggered when the bearer name size < TIPC_MAX_BEARER_NAME; it would check with a wrong len/TLV_GET_DATA_LEN(msg->req),
which also includes priority and disc_domain length. This patch is to fix it by checking it with a right length: 'TLV_GET_DATA_LEN(msg->req) - offsetof(struct tipc_bearer_config, name)'. Reported-by: syzbot+8b707430713eb46e1e45@syzkaller.appspotmail.com Signed-off-by: Xin Long --- net/tipc/netlink_compat.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c index 4ad3586..5f8e53c 100644 --- a/net/tipc/netlink_compat.c +++ b/net/tipc/netlink_compat.c @@ -397,7 +397,12 @@ static int tipc_nl_compat_bearer_enable(struct tipc_nl_compat_cmd_doit *cmd, if (!bearer) return -EMSGSIZE; - len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME); + len = TLV_GET_DATA_LEN(msg->req); + len -= offsetof(struct tipc_bearer_config, name); + if (len <= 0) + return -EINVAL; + + len = min_t(int, len, TIPC_MAX_BEARER_NAME); if (!string_is_valid(b->name, len)) return -EINVAL; -- 2.1.0
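Review bot: the new `if (len <= 0) return -EINVAL;` only works if `len` is a signed type; the `min_t(int, ...)` in the removed line suggests it is an `int`, but if the declaration were unsigned, `len -= offsetof(struct tipc_bearer_config, name);` would wrap and the guard would never fire, so it is worth confirming the declaration in the context above the hunk. The guard also changes behaviour for requests whose TLV payload is shorter than the fixed `priority`/`disc_domain` fields: they now return -EINVAL before `b->name` is touched, which the commit message could state explicitly rather than leaving it implicit in the `len <= 0` test.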
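The following is an added example, not code from the patch or from the kernel tree. It is a user-space model of the length arithmetic in tipc_nl_compat_bearer_enable(): it runs the pre-patch and post-patch computations of `len` on constructed TLVs and reports how many bytes beyond the TLV payload each `len` licenses the memchr() in string_is_valid() to read. The struct layout (priority and disc_domain ahead of name), the 4-byte TLV header, TIPC_MAX_BEARER_NAME and the helper names `tlv_data_len`, `check_name`, `run_check` and `build_tlv` are assumptions made for the example, and 0xAA poison bytes stand in for the uninitialized skb tail that KMSAN flagged.

```c
/*
 * Added example (not from the patch or the TIPC source): model of the
 * bearer-name length check before and after the fix.  Struct layout,
 * TLV header size and constants are assumed here, not taken from a
 * specific kernel version.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TIPC_MAX_BEARER_NAME 32
#define TLV_HDR_LEN 4          /* assumed TLV_SPACE(0): 2-byte len + 2-byte type */
#define POISON 0xAA            /* stands in for uninitialized memory after the TLV */

struct tipc_bearer_config {    /* layout assumed for the example */
    uint32_t priority;
    uint32_t disc_domain;
    char name[TIPC_MAX_BEARER_NAME];
};

struct outcome { int len; int valid; int overrun; };

/* Constructed inputs: 4 bytes priority, 4 bytes disc_domain, then the name. */
static const unsigned char PAYLOAD_ETH0[] = {
    0, 0, 0, 0,  0, 0, 0, 0,  'e', 't', 'h', '0', '\0' };      /* 13 bytes */
static const unsigned char PAYLOAD_TRUNC[] = { 0, 0, 0, 0, 0, 0 }; /* 6 bytes, no name */

/* Models TLV_GET_DATA_LEN(): big-endian tlv_len minus the header. */
static int tlv_data_len(const unsigned char *tlv)
{
    return (int)(((unsigned)tlv[0] << 8) | tlv[1]) - TLV_HDR_LEN;
}

/* Pre-patch: the whole payload length, capped at the maximum name size. */
static int name_len_before(const unsigned char *tlv)
{
    int len = tlv_data_len(tlv);
    return len < TIPC_MAX_BEARER_NAME ? len : TIPC_MAX_BEARER_NAME;
}

/* Post-patch: subtract the fixed fields in front of name; -1 stands for -EINVAL. */
static int name_len_after(const unsigned char *tlv)
{
    int len = tlv_data_len(tlv) - (int)offsetof(struct tipc_bearer_config, name);
    if (len <= 0)
        return -1;
    return len < TIPC_MAX_BEARER_NAME ? len : TIPC_MAX_BEARER_NAME;
}

/*
 * Instrumented string_is_valid(): memchr() for a NUL within len bytes of
 * name, and report in *overrun how many of those len bytes lie past the
 * end of the TLV payload.  Returns 1 when a NUL was found in range.
 */
static int check_name(const unsigned char *tlv, int len, int *overrun)
{
    const char *name = (const char *)tlv + TLV_HDR_LEN
                       + offsetof(struct tipc_bearer_config, name);
    int data_len = tlv_data_len(tlv);
    int scan_end;

    if (len <= 0) {            /* the patched path already returned -EINVAL */
        *overrun = 0;
        return 0;
    }
    scan_end = (int)offsetof(struct tipc_bearer_config, name) + len;
    *overrun = scan_end > data_len ? scan_end - data_len : 0;
    return memchr(name, '\0', (size_t)len) != NULL;
}

/* Write a TLV (header + payload) into buf and poison everything after it. */
static void build_tlv(unsigned char *buf, size_t bufsz,
                      const unsigned char *payload, size_t payload_len)
{
    size_t total = TLV_HDR_LEN + payload_len;

    memset(buf, POISON, bufsz);
    buf[0] = (unsigned char)(total >> 8);
    buf[1] = (unsigned char)(total & 0xff);
    buf[2] = buf[3] = 0;       /* tlv_type is irrelevant to the length check */
    memcpy(buf + TLV_HDR_LEN, payload, payload_len);
}

/* Run the pre-patch (patched == 0) or post-patch (patched == 1) check. */
static struct outcome run_check(int patched, const unsigned char *payload,
                                size_t payload_len)
{
    unsigned char buf[64];     /* large enough that the model itself never overruns */
    struct outcome o;

    build_tlv(buf, sizeof buf, payload, payload_len);
    o.len = patched ? name_len_after(buf) : name_len_before(buf);
    o.valid = check_name(buf, o.len, &o.overrun);
    return o;
}

int main(void)
{
    const struct { const char *label; const unsigned char *p; size_t n; } cases[] = {
        { "eth0 + NUL",       PAYLOAD_ETH0,  sizeof PAYLOAD_ETH0 },
        { "truncated header", PAYLOAD_TRUNC, sizeof PAYLOAD_TRUNC },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct outcome b = run_check(0, cases[i].p, cases[i].n);
        struct outcome a = run_check(1, cases[i].p, cases[i].n);
        printf("%-16s before: len=%2d valid=%d overrun=%d | after: len=%2d valid=%d overrun=%d\n",
               cases[i].label, b.len, b.valid, b.overrun, a.len, a.valid, a.overrun);
    }
    return 0;
}
```

For the 13-byte "eth0" payload the pre-patch len is 13, which permits memchr() to read 8 bytes past the payload (the size of the two fields in front of name); the patched len is 5 and stays inside the TLV. For a payload shorter than those two fields the pre-patch check scans entirely outside the payload, while the patched check rejects the request before any byte of name is read.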